Flowise CSV Agent Prompt Injection Remote Code Execution Vulnerability

A remote code execution vulnerability has been identified in Flowise, a tool for building customized large language model (LLM) applications, prior to version 3.1.0. The issue arises in the CSV_Agents class, where the run method lacks proper sandboxing when executing LLM-generated Python scripts. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the Flowise server by injecting prompts that coax the LLM into generating malicious Python scripts. The executed commands run in the context of the user operating the server.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the Flowise server, with the executed commands running under the user's context.

Reproduction

The vulnerability can be reproduced by sending a prompt injection to a chatflow that uses the CSV Agent node. The injected prompt can be crafted to bypass the agent's input validation and execute commands on the server. This can be done manually or using the provided proof of concept script, which automates the exploitation process.

Remediation

Users are advised to update Flowise to version 3.1.0 or later, where this vulnerability has been patched.